Review the new software features, open caveats, and resolved caveats sections for information specific to your switch. The information in this document refers to all the switches, unless otherwise noted.

These release notes include important information about this release and any limitations, restrictions, and caveats that apply to it. To verify that these are the correct release notes for your switch:

•If you are installing a new switch, see the Cisco IOS release label on the rear panel of your switch.

This release is part of a special release of Cisco IOS software that is not released on the same 8-week maintenance cycle that is used for other platforms. As maintenance releases and future releases become available, they will be posted to Cisco.com in the Cisco IOS software area.

Cisco IOS Release 12.2(22)EA3 is based on Cisco IOS Release 12.1(22)E4. Open caveats in Cisco IOS Release 12.1(22)E4 also affect Cisco IOS Release 12.2(22)EA3, unless they are listed in the 12.1(22)E3 resolved caveats list. The list of open caveats in Cisco IOS Release 12.1(22)E4 is available at this URL:

Hardware Supported

The Catalyst 2950 switch is supported by either the standard software image (SI) or the enhanced software image (EI). The Catalyst 2950 Long-Reach Ethernet (LRE) and Catalyst 2955 switches are supported only by the EI. The Catalyst 2940 switch supports some of the features supported by a Catalyst 2950 switch.

The EI provides a richer set of features, including access control lists (ACLs), enhanced quality of service (QoS) features, and extended-range VLANs. The enhanced cryptographic software image supports the Secure Shell Version 2 (SSHv2) protocol.

Software Requirements

Table 5 lists the supported operating systems and browsers for using the device manager. The device manager verifies the browser version when starting a session to ensure that the browser is supported.

Cluster Compatibility

You cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the command-line interface (CLI) or the Network Assistant application.

When creating a switch cluster or adding a switch to a cluster, follow these guidelines:

•When you create a switch cluster, we recommend configuring the highest-end switch in your cluster as the command switch.

•If you are managing the cluster through Network Assistant, the switch that has the latest software should be the command switch, unless your command switch is running Cisco IOS Release 12.1(19)EA1 or later.

•The standby command switch must be the same type as the command switch. For example, if the command switch is a Catalyst 3750 switch, all standby command switches must be Catalyst 3750 switches.

For additional information about clustering, see Getting Started with Cisco Network Assistant and Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com), the software configuration guide, and the command reference.

Upgrading the Switch Software

Before downloading software, read this section for important information. This section describes these procedures for downloading software:

When you upgrade a switch, the switch continues to operate while the new software is copied to flash memory. If flash memory has enough space, the new image is copied to the selected switch but does not replace the running image until you reboot the switch. If a failure occurs during the copy process, you can still reboot your switch by using the old image. If flash memory does not have enough space for two images, the new image is copied over the existing one. Features provided by the new software are not available until you reload the switch.

If a failure occurs while copying a new image to the switch, and the old image has already been deleted, see the "Recovering from Corrupted Software" section in the "Troubleshooting" chapter of the software configuration guide for this release.

For information about upgrading the LRE switch firmware, see the "Upgrading LRE Switch Firmware" section in the software configuration guide for this release.

Caution A bootloader upgrade occurs if you are upgrading Catalyst 2950 switches running Cisco IOS Release 12.1(9)EA1d or earlier to Cisco IOS Release 12.1(11)EA1 or later for both cryptographic and noncryptographic images. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

Caution Do not power cycle the switch while you are copying an image to the switch. If a power failure occurs while you are copying the software image to the switch, and there are no other images on the switch, see the "Troubleshooting" chapter in the software configuration guide for detailed recovery procedures.

Finding the Software Version and Feature Set

The image is stored as a bin file in a directory that is named with the Cisco IOS release. A subdirectory contains the files needed for web management. The image is stored on the system board flash device (flash:).

You can use the show version user EXEC command to see the software version that is running on your switch. In the display, check the line that begins with System image file is. This line shows the directory name in flash memory where the image is stored. A couple of lines below the image name, you see Running Enhanced Image if you are running the EI or Running Standard Image if you are running the SI.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images that you might have stored in flash memory.

Deciding Which Files to Download from Cisco.com

The upgrade procedures in these release notes describe how to perform the upgrade by using a combined tar file. This file contains both the Cisco IOS image file and the embedded device manager files. You must use the combined tar file to upgrade the switch through the device manager.

The tar file is an archive file from which you can extract files by using the archive tar command.

Note If you are upgrading a non-LRE Catalyst 2950 switch from a release earlier than Cisco IOS Release 12.1(6)EA2, use the tar command instead of the archive tar command.

Table 6 lists the software filenames for this release. These files are posted on Cisco.com.

Downloading the Software

This procedure is for copying the combined tar file to a switch. You copy the file to the switch from a TFTP server and extract the files. You can download an image file and replace or keep the current image.

Follow these steps to download the software from Cisco.com to your management station:

Step 1 Download the files from one of these locations:

Go to this URL and log in to download the appropriate files:

http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

To download the files, click the link for your switch platform, and then follow the links on the page to select the correct tar image file.

Step 2 Use the CLI or web-based interface to perform a TFTP transfer of the file or files to the switch after you have downloaded them to your PC or workstation.

New features provided by the software are not available until you reload the software.

Copying the Current Startup Configuration from the Switch to a PC or Server

When you make changes to a switch configuration, your changes become part of the running configuration. When you enter the command to save those changes to the startup configuration, the switch copies the configuration to the config.text file in flash memory. To ensure that you can recreate the configuration if a switch fails, you might want to copy the config.text file from the switch to a TFTP server.

Beginning in privileged EXEC mode, follow these steps to copy a switch configuration file to the TFTP server.

Step 1 Copy the file in flash memory to the root directory of the TFTP server:

switch# copy flash:config.text tftp

Step 2 Enter the IP address of the device where the TFTP server resides:

Address or name of remote host []? ip_address

Step 3 Enter the name of the destination file (for example, config.text):

Destination filename [config.text]? yes/no

Step 4 Verify the copy by displaying the contents of the root directory on the TFTP server.

Using the CLI to Upgrade a Catalyst 2950 LRE or Catalyst 2940 Switch

Use this procedure for upgrading your Catalyst 2950 LRE or Catalyst 2940 switch by using the archive download-sw privileged EXEC command to automatically extract and download the Cisco IOS image and the device manager files to the switch. The archive download-sw command initiates this process:

•It verifies adequate space on the flash memory before downloading the new set of images.

•If there is insufficient space on the flash memory to hold both the old and the new images, it deletes the old set of images. The images are always stored in a subdirectory on the flash memory. The subdirectory name is the same as the image release name, for example, flash:/c2940-i6q4l2-tar.121.22.EA3/

•It replaces the old set of images with the new set of images. The set includes the Cisco IOS image and the device manager files and, on Catalyst 2950 LRE switches, the LRE firmware files. You do not have to manually delete the device manager directory from flash memory.

•After the new set of files is downloaded, it automatically sets the BOOT environment variable.

•If you enter the command with the /reload or the /force-reload option, it automatically reloads the switch after the upgrade.

For further information on this command, see the command reference for this release.

Follow these steps to upgrade the switch software by using a TFTP transfer:

Step 1 If your PC or workstation cannot act as a TFTP server, copy the file to a TFTP server to which you have access.

Step 2 Log into the switch by starting a Telnet session or by connecting to the switch console port through the RS-232 connector.

To start a Telnet session on your PC or workstation, enter this command:

server% telnet switch_ip_address

Enter the Telnet password if you are prompted to do so.

Step 3 Enter privileged EXEC mode:

switch> enable
switch#

Enter the password if you are prompted to do so.

Step 4 Ensure that you have IP connectivity to the TFTP server by using this privileged EXEC command:

switch# ping tftp-server-address

For more information about assigning an IP address and default gateway to the switch, see the software configuration guide for this release.

Step 5 Download the image file from the TFTP server to the switch. If you are installing the same version of software that is currently on the switch, overwrite the current image by using this privileged EXEC command:

You can also download the image file from the TFTP server to the switch and keep the current image by replacing the /overwrite option with the /leave-old-sw option.

Your Telnet session ends when the switch reloads.

After the switch reboots, use Telnet to return to the switch, and enter the show version user EXEC command to verify the upgrade procedure. If you have a previously opened browser session to the upgraded switch, close the browser, and start it again to ensure that you are using the latest HTML files.

Using the CLI to Upgrade a Catalyst 2955 Switch or Non-LRE Catalyst 2950 Switch

Use this procedure for upgrading your Catalyst 2955 or non-LRE Catalyst 2950 switch by copying the tar file to the switch. You copy the Cisco IOS image and the device manager files to the switch from a TFTP server and then extract the files by entering the archive tar command, with these results:

•Changes the name of the current image file to the name of the new file that you are copying and replaces the old image file with the new one. Perform this step only if you have space available on your switch.

•Disables access to the device manager pages and deletes the existing device manager files before the software upgrade to avoid a conflict if users access the web pages during the software upgrade.

•Re-enables access to the device manager pages after the upgrade is complete.

Caution A bootloader upgrade occurs if you are upgrading Catalyst 2950 switches running Cisco IOS Release 12.1(9)EA1d or earlier to Cisco IOS Release 12.1(11)EA1 or later for both cryptographic and noncryptographic images. The bootloader can take up to 30 seconds to upgrade. Do not power cycle the switch while you are copying this image to the switch. If a power failure occurs when you are copying this image to the switch, call Cisco Systems immediately.

Before downloading the new image, use the dir user EXEC command to confirm that you have enough space on the flash. The new image and HTML files will be slightly larger than the size of the tar file.

If you do not have enough space on the flash for the tar file, delete any old unused IOS images. If that does not free up enough flash space, delete the HTML files.

Caution Do not delete the image that you are currently running on the switch. If the switch fails while downloading the new image, you will need to use this.

Follow these steps to upgrade the switch software by using a TFTP transfer:

Step 1 If your PC or workstation cannot act as a TFTP server, copy the file to a TFTP server to which you have access.

Step 2 Log into the switch by starting a Telnet session or by connecting to the switch console port through the RS-232 connector.

To start a Telnet session on your PC or workstation, enter this command:

server% telnet switch_ip_address

Enter the Telnet password if you are prompted to do so.

Step 3 Enter privileged EXEC mode:

switch> enable
switch#

Enter the password if you are prompted to do so.

Step 4 Remove the switch HTML files:

switch# delete /r /f flash:html

where /r is for /recursive and /f is for /force. This command deletes all the switch HTML files and subdirectories.

Press Enter to confirm the deletion of each file. Do not press any other keys during this process.

Step 5 Enter this command to copy the new image and the device manager files to flash memory:

Caution In this step, the archive tar command copies the tar file that contains both the image and the device manager files. If you are upgrading from a release earlier than Cisco IOS Release 12.1(6)EA2, use the tar command instead of the archive tar command.

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Step 8 Enter the boot command with the name of the new image filename:

switch(config)# boot system flash:new_image

For example:

switch(config)# boot system flash:c2950-i6q4l2-mz.121-13.EA1c.bin

Note If the show boot command entered in Step 6 displays no image name, you do not need to enter this command; the switch automatically finds the correct file to use when it resets.

Step 9 Return to privileged EXEC mode:

switch(config)# end

Step 10 Reload the new software with this command:

switch# reload
System configuration has been modified. Save? [yes/no]:y
Proceed with reload? [confirm]

Step 11 Press Return to confirm the reload.

Your Telnet session ends when the switch reloads.

After the switch reboots, use Telnet to return to the switch, and enter the show version user EXEC command to verify the upgrade procedure. If you have a previously opened browser session to the upgraded switch, close the browser, and start it again to ensure that you are using the latest device manager files.

Recovering from Software Failure

If the software fails, you can reload the software. For detailed recovery procedures, see the "Troubleshooting" chapter in the software configuration guide for your switch.

Installation Notes

You can assign IP information to your switch by using one of these methods:

For more information about the guest VLAN feature, see the Catalyst 2950 Switch Software Configuration Guide and the Catalyst 2950 Switch Command Reference for Cisco IOS Release 12.1(22)EA2 at this URL:

Limitations and Restrictions

You should review this section before you begin working with the switches. These are known limitations that will not be fixed, and there is not always a workaround. Some features might not work as documented, and some features could be affected by recent changes to the switch hardware or software.

Cisco IOS Limitations and Restrictions

These limitations and restrictions apply to the Cisco IOS configuration:

•Root guard is inconsistent when configured on a port that is in the STP blocked state at the time of configuration. (CSCdp85954)

•Aging of dynamic addresses does not always occur exactly after the specified aging time elapses. It might take up to three times this time period before the entries are removed from the table. (CSCdr96565)

•Internal loopback in half-duplex mode causes input errors. We recommend that you configure the PHY to operate in full duplex before setting the internal loopback. (CSCds20365)

•If the switch gets configured from the dynamic IP pool, a duplicate or different IP address might be assigned.

The workaround is to make sure that the DHCP server contains reserved addresses that are bound to each switch by the switch hardware address so that the switch does not obtain its IP address from the dynamic pool. (CSCds58369)

•A source-based distribution port group does not share the broadcast with all the group members. When the destination of the packets is a broadcast or unknown unicast or multicast, the packets are forwarded only on one port member of a port group, instead of being shared among all members of the port group. (CSCdt24814)

•When you enter the show controllers ethernet-controller interface-id or show interfaces interface-id counters privileged EXEC command, if a large number of erroneous frames are received on an interface, the receive-error counts might be smaller than the actual values, and the receive-unicast frame count might be larger than the actual frame count. (CSCdt27223)

•Two problems occur when a switch is in transparent mode:

–If the switch is a leaf switch, any new VLANs added to it are not propagated upstream through VTP messages. As a result, the switch does not receive flooded traffic for that VLAN.

–If the switch is connected to two VTP servers, it forwards their pruning messages. If the switch has a port on a VLAN that is not requested by other servers through their pruning messages, it does not receive flooded traffic for that VLAN.

There is no workaround. (CSCdt48011)

•The receive count output for the show controllers ethernet-controller interface-id privileged EXEC command shows the incoming packets count before the ASIC makes a decision of whether to drop the packet or not. Therefore, for ports in the STP blocking states, even though the receive count shows incoming frames, the packet is not forwarded to the other port. (CSCdu83640)

•In some network topologies, when UplinkFast is enabled on all switches and BackboneFast is not enabled on all switches, a temporary loop might be caused when the STP root switch is changed.

The workaround is to enable BackboneFast on all switches. (CSCdv02941)

•At times, the Windows XP pop-up window might not appear while authenticating a client (supplicant) because the user information is already stored in Windows XP. However, the Extensible Authentication Protocol over LAN (EAPOL) response to the switch (authenticator) might have an empty user ID that causes the 802.1x port to be unauthenticated.

The workaround is to manually re-initiate authentication by either logging off or detaching the link and then reconnecting it. (CSCdv19671)

•If two Catalyst 2950 switches are used in a network and if access ports are used to connect two different VLANs whose VLAN IDs are separated by the correct multiple of 64, it is possible to create a situation where the two switches use the same bridge ID in the same spanning-tree instances. This might cause a loss of connectivity in the VLAN as the spanning tree blocks the ports that should be forwarding.

The workaround is to not cross-connect VLANs. For example, do not use an access port to connect VLAN 1 to VLAN 65 on either the same switch or from one switch to another switch. (CSCdv27247)

•A command switch might not show the Catalyst 1900, Catalyst 2820, and Catalyst 2900 XL 4-MB (models C2908-XL, C2916M-XL, C2924C-XL, and C2924-XL) switches as candidates even though their management VLAN is the same as the command switch. This occurs only when their management VLAN is not VLAN 1. (CSCdv34505)

•You can configure up to 256 Multicast VLAN Registration (MVR) groups by using the mvr vlan group interface configuration command, but only 255 groups are supported on a Catalyst 2950 switch at one time. If you statically add a 256th group, and 255 groups are already configured on the switch, it continues trying (and failing) to add the new group.

The workaround is to set the mode to dynamic for Catalyst 2950 switches that are connected to IGMP-capable devices. The new group can join the multicast stream if another stream is dynamically removed from the group. (CSCdv45190)

•A Catalyst 2950 command switch can discover only the first Catalyst 3550 switch if the link between the Catalyst 3550 switches is an 802.1Q trunk and the native VLAN is not the same as the management VLAN of the Catalyst 2950 switch or if the link between the Catalyst 3550 switches is an Inter-Switch Link (ISL) trunk and the management VLAN is not VLAN 1.

The workaround is to connect Catalyst 3550 switches by using the access link on the command switch's management VLAN or to configure an 802.1Q trunk with a native VLAN that is the same as the management VLAN of the command switch. (CSCdv49871)

•There might be a link on the Fast Ethernet port of the Catalyst 2950 switch when it is forced to 10 Mbps and full-duplex mode and its link partner is forced to 100 Mbps and forced duplex mode. The LED on the Catalyst 2950 switch might display the link, and the error counters might increment.

The workaround is to configure both sides of a link to the same speed or use autonegotiation. (CSCdv62271)

•The ip http authentication enable global configuration command is not saved to the configuration file because this is the default configuration. Therefore, this configuration is lost after a reboot.

The workaround is to manually enter the command again after a reboot. (CSCdv67047)

•If a stack that has Catalyst 2955, Catalyst 2950, or Catalyst 2940 switches also has Catalyst 2900 XL or Catalyst 3500 XL switches, cross-stack UplinkFast (CSUF) does not function if the management VLAN on the Catalyst 2900 XL or Catalyst 3500 XL switches is changed to a VLAN other than VLAN 1 (the default).

The workaround is to make sure that the management VLANs of all Catalyst 2900 XL or 3500 XL switches in the stack are set to VLAN 1. (CSCdv82224)

•If a port is configured as a secure port with the violation mode as restrict, the secure ports might process packets even after the maximum limit of MAC addresses is reached, but those packets are not forwarded to other ports. (CSCdw02638)

•The discarded frames count of the show controllers ethernet-controller privileged EXEC command output and the ignored count of the show controller ethernet privileged EXEC command output can increment for these reasons:

–The source and destination ports are the same.

–The spanning-tree state of the ingress port is not in the forwarding state.

–Traffic is filtered because unicast or multicast storms are on the port.

–Traffic is dropped because a VLAN has not been assigned by VLAN Query Protocol (VQP).

Note This error occurs only on switches that can run Cisco IOS Release 12.0(5)WC2b or earlier.

There is no workaround. (CSCdw48441)

•You can apply ACLs to a management VLAN or to any traffic that is going directly to the CPU, such as SNMP, Telnet, or web traffic. For information on creating ACLs for these interfaces, see the "Configuring IP Services" section of the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference for Cisco IOS Release 12.1.

•The SSH feature uses a large amount of switch memory, which limits the number of VLANs, trunk ports, and cluster members that you can configure on the switch. Before you download the cryptographic software image, your switch configuration must meet these conditions:

–The number of trunk ports multiplied by the number of VLANs on the switch must be less than or equal to 128. These are examples of switch configurations that meet this condition:

If the switch has 2 trunk ports, it can have up to 64 VLANs.

If the switch has 32 VLANs, it can have up to 4 trunk ports.

–If your switch is a cluster command switch, it can only support up to eight cluster members.

Note A switch that runs the SI cannot run the cryptographic image. If a cryptographic image is loaded on an SI-only switch, the switch will perform a forced reload.

If your switch has a saved configuration that does not meet the previous conditions and you upgrade the switch software to the cryptographic software image, the switch might run out of memory. If this happens, the switch does not operate properly. For example, it might continuously reload.

The workaround is to check your switch configuration and ensure that it meets the previous conditions. (CSCdw66805)
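As an added pre-upgrade check (example code written for this page, not Cisco's own tooling), the script below applies the three conditions a practitioner would want to gate on before loading the cryptographic image: the Running Enhanced Image line from the "Finding the Software Version and Feature Set" section (an SI-only switch force-reloads), the trunk ports x VLANs limit of 128, and the eight-member limit for a cluster command switch. The show command outputs embedded in it are constructed samples in the layout of those commands, and it assumes cluster members appear in the running configuration as cluster member lines.

```python
"""Pre-upgrade gate for loading the cryptographic (SSH) image on a Catalyst 2950:
the switch must report 'Running Enhanced Image' (an SI-only switch force-reloads
on a cryptographic image), trunk ports x VLANs must be <= 128, and a cluster
command switch may have at most eight members."""
import re
from dataclasses import dataclass, field

MAX_TRUNK_VLAN_PRODUCT = 128  # limit stated in the release notes (CSCdw66805)
MAX_CLUSTER_MEMBERS = 8       # limit stated for a cluster command switch

# Constructed sample outputs in the layout of the named show commands (not captures).
SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
System image file is "flash:/c2950-i6q4l2-mz.121-22.EA3/c2950-i6q4l2-mz.121-22.EA3.bin"

Running Enhanced Image
"""

SHOW_INTERFACES_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Fa0/23    on           802.1q         trunking      1
Fa0/24    desirable    n-802.1q       trunking      1

Port      Vlans allowed on trunk
Fa0/23    1-4094
Fa0/24    1-4094
"""

SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
10   engineering                      active    Fa0/5, Fa0/6
20   sales                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# Assumption: on a cluster command switch each member appears in the running
# configuration as a 'cluster member <n> mac-address <H.H.H>' line.
RUNNING_CONFIG = """\
hostname lab-2950
cluster enable LAB-CLUSTER 0
cluster member 1 mac-address 0001.0203.0405
cluster member 2 mac-address 0001.0203.0406
interface FastEthernet0/23
 switchport mode trunk
"""

def running_enhanced_image(show_version: str) -> bool:
    """True when 'show version' reports the EI; the SI cannot run the cryptographic image."""
    return re.search(r"^Running Enhanced Image\s*$", show_version, re.M) is not None

def trunking_ports(show_interfaces_trunk: str) -> list:
    """Ports whose Status column in 'show interfaces trunk' reads 'trunking'."""
    return re.findall(r"^(\S+)\s+\S+\s+\S+\s+trunking\s+\d+\s*$", show_interfaces_trunk, re.M)

def vlan_ids(show_vlan_brief: str) -> list:
    """VLAN IDs listed by 'show vlan brief'; the default VLANs 1002-1005 are
    counted as well, which errs on the conservative side for the 128 limit."""
    return [int(v) for v in re.findall(r"^(\d{1,4})\s+\S+\s+\S+", show_vlan_brief, re.M)]

def cluster_member_count(running_config: str) -> int:
    """Number of 'cluster member' entries in the running configuration."""
    return len(re.findall(r"^cluster member\s+\d+\s+mac-address\s", running_config, re.M))

@dataclass
class GateResult:
    ok: bool
    trunks: int
    vlans: int
    members: int
    problems: list = field(default_factory=list)

def crypto_image_gate(show_version, show_trunk, show_vlan, running_config) -> GateResult:
    """Apply all three conditions and report every violation, not just the first."""
    problems = []
    if not running_enhanced_image(show_version):
        problems.append("not running the EI: an SI-only switch force-reloads on a cryptographic image")
    trunks, vlans = len(trunking_ports(show_trunk)), len(vlan_ids(show_vlan))
    if trunks * vlans > MAX_TRUNK_VLAN_PRODUCT:
        problems.append(f"trunk ports x VLANs = {trunks} x {vlans} = {trunks * vlans} > {MAX_TRUNK_VLAN_PRODUCT}")
    members = cluster_member_count(running_config)
    if members > MAX_CLUSTER_MEMBERS:
        problems.append(f"{members} cluster members > limit of {MAX_CLUSTER_MEMBERS}")
    return GateResult(not problems, trunks, vlans, members, problems)

if __name__ == "__main__":
    result = crypto_image_gate(SHOW_VERSION, SHOW_INTERFACES_TRUNK, SHOW_VLAN_BRIEF, RUNNING_CONFIG)
    print("safe to load cryptographic image" if result.ok else "do NOT load cryptographic image")
    for problem in result.problems:
        print(" -", problem)
```

Run it against the saved outputs of the three show commands from the switch being upgraded; with the sample data it reports 2 trunks x 7 VLANs, well under the limit.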

•When you use the policy-map global configuration command to create a policy map, and you do not specify any action for a class map, the association between that class map and policy map is not saved when you exit policy-map configuration mode.

The workaround is to specify an action in the policy map. (CSCdx75308)

•When the Internet Group Management Protocol (IGMP) Immediate Leave is configured, new ports are added to the group membership each time a join message is received, and ports are pruned (removed) each time a leave message is received.

If the join and leave messages arrive at a high rate, the CPU can become busy processing these messages. For example, the CPU usage is approximately 50 percent when 50 pairs of join and leave messages are received each second. Depending on the rate at which join and leave messages are received, the CPU usage can go very high, even up to 100 percent, as the switch continues processing these messages.

The workaround is to only use the Immediate Leave processing feature on VLANs where a single host is connected to each port. (CSCdx95638)

•A switch does not use the default gateway address in the DHCP offer packet from the server during automatic-install process.

The workaround is to manually assign an IP address to the switch. (CSCdy08716)

•In a Remote Switched Port Analyzer (RSPAN) session, if at least one switch is used as an intermediate or destination switch and if traffic for a port is monitored in both directions, traffic does not reach the destination switch.

These are the workarounds:

–Use a Catalyst 3550 or Catalyst 6000 switch as an intermediate or destination switch.

–Monitor traffic in only one direction if a Catalyst 2950 switch is used as an intermediate or destination switch. (CSCdy38476)

•If you assign a nonexistent VLAN ID to a static-access EtherChannel by setting the ciscoVlanMembershipMIB:vmVlan object, the switch does not create the VLAN in the VLAN database. (CSCdy65850)

The workaround is to configure the port as a static access port. (CSCdz32556)

•The output from the show stack privileged EXEC command might show a large number of false interrupts.

There is no workaround. The number of interrupts does not affect the switch functionality. (CSCdz34545)

•If you configure a static secure MAC address on an interface before enabling port security on the interface, the same MAC address is allowed on multiple interfaces. If the same MAC address is added on multiple ports before enabling port security and port security is later enabled on those ports, only the first MAC address can be added to the hardware database. If port security is first enabled on the interface, the same static MAC address is not allowed on multiple interfaces. (CSCdz74685)

•In Cisco IOS Release 12.1(13)EA1 or later, these are the default settings for an IP Phone connected to a switch:

–The port trust state is to not trust the priority of frames arriving on the IP Phone port from connected devices.

–The CoS value of incoming traffic is overwritten and set to zero. (CSCdz76915)

•If you press and hold the spacebar while the output of any show user EXEC command is being displayed, the Telnet session is stopped, and you can no longer communicate with the management VLAN.

These are the workarounds:

–Enter the show commands from privileged EXEC mode, and use this command to set the terminal length to zero:

switch# terminal length 0

–Open a Telnet session directly from a PC or workstation to the switch.

–Do not hold down the spacebar while scrolling through the output of a show user EXEC command. Instead, slowly press and release the spacebar. (CSCea12888)

•When you connect a switch to another switch through a trunk port and the number of VLANs on the first switch is lower than the number on the connected switch, interface errors are received on the management VLAN of the first switch.

The workaround is to match the configured VLANs on each side of the trunk port. (CSCea23138)

•When you enable Port Fast on a static-access port and then change the port to dynamic, Port Fast remains enabled. However, if you change the port back to static, Port Fast is disabled.

The workaround is to configure Port Fast globally by using the spanning-tree portfast global configuration command. (CSCea24969)

•When using the SPAN feature, the monitoring port receives copies of sent and received traffic for all monitored ports. If the monitoring port is oversubscribed, it will probably become congested. This might also affect how one or more of the monitored ports forwards traffic.

•When a 10/100 switch port is connected to a 10/100 port on a hub and another 10/100 port on the hub is connected to a 10/100 port on another switch, when one of the switches restarts, the link state might change from down to up, and these messages might appear:

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Then the switch that restarted does not forward traffic until the spanning-tree state enters the forwarding state. This can occur on a switch running Cisco IOS Release 12.1(13)EA1 or later. (CSCea47230)

•On a Catalyst 2940 switch, when a 1000BASE-T SFP module is inserted in the SFP module slot, the output of the show interface capabilities privileged EXEC command incorrectly shows that the interface supports 10 Mbps, 100 Mbps, and 1000 Mbps. The SFP module supports only 1000 Mbps. (CSCeb31239)

•After a topology change in STP, some terminals connected to the management VLAN can transfer data because the affected switch ports start forwarding before they move to the forwarding state.

Note If the terminal does not belong to management VLAN, this failure does not occur.

The workaround is to place the ports in static-access mode for a single VLAN, if the topology supports this configuration. (CSCec13986)

•When you use only Catalyst 2950 switches for RSPAN, you cannot monitor traffic in the receive (Rx) direction. You can only monitor traffic in the transmit (Tx) direction.

There is no workaround. (CSCed19922)

•When connected to some third-party devices that send early preambles, a switchport operating at 100 Mbps full duplex or 100 Mbps half duplex might bounce the line protocol up and down. The problem is observed only when the switch is receiving frames.

The workaround is to configure the port for 10 Mbps and half duplex or to connect a hub or a nonaffected device to the switch. (CSCed39091)

•If a switch receives STP packets and non-STP packets that have a CoS value of 6 or 7 and all of these packets belong to the same management VLAN, a loop might occur.

These are the workarounds:

–Change the CoS value of the non-STP packets to a value other than 6 or 7.

–If the CoS value of the non-STP packets must be 6 or 7, configure these packets to belong to a VLAN other than the management VLAN. (CSCed88622)

•If packets with a bad CRC are received on a port, the switch might learn the source MAC address of the bad packet.

There is no workaround. (CSCef15178)

•Certain combinations of features and switches create conflicts with the port security feature. In Table 7, No means that port security cannot be enabled on a port on the referenced switch if the referenced feature is also running on the same port. Yes means that both port security and the referenced feature can be enabled on the same port on a switch at the same time. A dash means not applicable.

Footnote 5 to Table 7: You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.

LRE Limitations and Restrictions

These limitations and restrictions apply only to Catalyst 2950 LRE switches:

•VLAN-tagged packets from multiple VLANs with the same source MAC address that are received on different Cisco 585 LRE CPE Ethernet ports create a single MAC address entry (ingress port entry). Any network designed with the assumption that MAC addresses are maintained per VLAN does not work.

There is no workaround. The Ethernet port on the Cisco 585 LRE CPE does not support VLANs. All the ports are assumed to be in the same VLAN. (CSCdx03708)

•Maximum-sized ISL frames (frames between 1537 and 1544 bytes) are discarded by the CPE device on ingress interfaces. Some chips and switches on the CPE device support a maximum frame size of 1536 bytes, which causes any maximum-sized ISL frames coming into the CPE from an end device or from an LRE switch to be discarded.

There is no workaround. You must ensure that the network does not send ISL tagged frames of sizes between 1537 and 1544 bytes to an LRE switch. (CSCdx25940)

•The system runs out of memory and fails after too many RMON buckets are requested.

There is no workaround; only 1000 buckets per interface are supported. (CSCdy38390)

•The flow control autonegotiation settles on an incorrect outcome if you use a Cisco-made 1000BASE-T GBIC with any switch not listed in Table 1 of the 1000BASE-T GBIC Switch Compatibility Matrix:

•The Cisco 585 LRE CPE has four Fast Ethernet ports. When the CPE is connected to an LRE switch, the default value for the maximum number of secure MAC addresses is 1. You can use the show port-security command to display the current maximum value.

The workaround is to use the switchport port-security maximum value interface configuration command to change the default value. For interfaces connected to Cisco 575 LRE and Cisco 576 LRE 997 CPEs, the default value can be 1. For interfaces connected to Cisco 585 LRE CPEs, the value can be 5 because the CPE has four Fast Ethernet ports and one additional MAC address. (CSCdy73748)

•The Cisco 575 LRE or the Cisco 576 LRE 997 CPE does not support all of the Fast Ethernet statistics displayed by the show controllers ethernet-controller longreachethernet interface-id cpe command. The Cisco 585 LRE CPE supports all the LRE and CPE Fast Ethernet statistics.

There is no workaround. These CPE Fast Ethernet statistics are supported by the Cisco 575 LRE CPE and the Cisco 576 LRE 997 CPE (CSCdy89348):

Transmit and Receive:

0 Bytes

0 Unicast frames

0 Broadcast frames

0 Pause frames

0 Alignment errors

0 One collision frames

0 Multiple collisions

0 Undersize frames

0 Late collisions

0 Oversize frames

0 Excess collisions

0 FCS errors

0 Deferred frames

•When the entPhysicalTable object is retrieved, the copper physical entry is not included.

There is no workaround. (CSCdz06748)

•When an 802.1x protocol-enabled client attempts to connect to a Catalyst 2950 LRE switch through a Cisco 585 LRE CPE with 802.1x configured on a port, the client cannot be authenticated. This problem does not affect the Cisco 575 LRE CPE or the Cisco 576 LRE 997 CPE. The show dot1x interface interface configuration command displays the port state as unauthorized. (CSCdz22965)

•When a Fast Ethernet port on a Cisco 585 LRE CPE is in half-duplex mode and the rate at which the port receives packets is higher than the rate at which it can forward packets, the Pause Frames counter for the CPE port increments.

There is no workaround. (CSCea41362)

•On a Catalyst 2950 LRE switch running Cisco IOS Release 12.1(11)YJ4 or later, a Cisco 575 LRE CPE or a Cisco 576 LRE 997 CPE that does not have an LRE link but is connected to a remote device through the Ethernet link might see repeated flaps on the Ethernet link. This does not occur on a Cisco 585 LRE CPE. (CSCeb01097)

•When a Catalyst 2950 LRE switch running Cisco IOS 12.1(14)EA1 or Cisco IOS 12.1(11)YJ is connected to a Cisco 575 LRE CPE, the Fast Ethernet link on the CPE port fails to activate if you change the CPE speed setting from 10 to 100 Mbps while the CPE duplex mode is set to half or full.

The workaround is to reset the CPE port by using the cpe shutdown followed by the no cpe shutdown interface configuration command. This activates the Fast Ethernet link on the CPE port. (CSCeb35007)

•When you shut down the 100BASE-FX port on the Catalyst 2950 switch, the upstream switch does not detect loss of link and the line protocol stays up/up.

There is no workaround to the issue itself. However, you can use aggressive mode UDLD when suitable. (CSCee57059)

Device Manager Limitations and Restrictions

These are the device manager limitations and restrictions:

•This release supports the same switch cluster compatibilities supported in Cisco IOS Release 12.1(22)EA1. However, you cannot create and manage switch clusters through the device manager. To create and manage switch clusters, use the CLI or the Cisco Network Assistant application. For information about Network Assistant, see the "New Features" section.

•When you are prompted to accept the security certificate and you click No, you see only a blank screen, and the device manager does not launch.

The workaround is to click Yes when you are prompted to accept the certificate. (CSCef45718)

Catalyst 2950 Hardware and Software Compatibility Matrixes

Some Catalyst 2950 switches are not supported by certain software releases.

Table 8 lists the Catalyst 2950-12, 2950-24, 2950C-24, and 2950T-24 switches and the software releases supporting them. The serial numbers are on the switch rear panel. In this table, Yes means that the switch is supported by the software release; No means that the switch is not supported by the release.

Cisco IOS Notes

These are the important Cisco IOS configuration notes related to this release:

•In Cisco IOS Release 12.1(14)EA1, the implementation for 802.1x changed from the previous release. Some global configuration commands became interface configuration commands, and new commands were added.

If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global configuration command. For more information, see the software configuration guide for this release.

•When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to 2 plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the IP phone requires up to two MAC addresses. The IP address of the phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.

•IGMP filtering controls only group specific query and membership reports, including join and leave reports. It does not control general IGMP queries.

•The management interface configuration command is not supported in Cisco IOS Release 12.1(6)EA2 or later. To shut down the current management VLAN interface and to enable the new management VLAN interface, use the shutdown and no shutdown interface configuration commands. See the Catalyst 2950 and Catalyst 2955 Switch Command Reference for information about using the shutdown interface configuration command.

•When an 802.1x-authenticated client is disconnected from an IP phone, hub, or switch and does not send an EAPOL-Logoff message, the switch interface does not change to the unauthorized state. If this happens, it can take up to 60 minutes for the interface to change to the unauthorized state when the re-authentication time is the default value (3600 seconds).

The workaround is to change the number of seconds between re-authentication attempts by using the dot1x timeout reauth-period seconds global configuration command. (CSCdz38483)

•The guest VLAN might not assign a DHCP address to some clients. This is a problem with the 802.1x client, not with the switch.

The workaround is to either release and renew the IP address or to change the default timers. These examples show typical interface timer changes:

dot1x timeout quiet-period 3

dot1x timeout tx-period 5

Device Manager Notes

These notes apply to the device manager:

•We recommend this browser setting to speed up the time to display the device manager from Microsoft Internet Explorer.

From Microsoft Internet Explorer:

1. Choose Tools > Internet Options.

2. Click Settings in the "Temporary Internet files" area.

3. From the Settings window, choose Automatically.

4. Click OK.

5. Click OK to exit the Internet Options window.

•The HTTP server interface must be enabled to display the device manager. By default, the HTTP server is enabled on the switch. Use the show running-config privileged EXEC command to see if the HTTP server is enabled or disabled.

Configure the HTTP server interface for the type of authentication that you want to use.

•enable—Enable password, which is the default method of HTTP server user authentication, is used.

•local—Local user database, as defined on the Cisco router or access server, is used.

•tacacs—TACACS server is used.

Step 3: end
Return to privileged EXEC mode.

Step 4: show running-config
Verify your entries.

•The device manager uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its Ethernet ports and to allow switch management from a standard web browser.

If you change the HTTP port, you must include the new port number when you enter the IP address in the browser Location or Address field (for example, http://10.1.126.45:184 where 184 is the new HTTP port number). You should write down the port number through which you are connected. Use care when changing the switch IP information.

If you are not using the default method of authentication (the enable password), you need to configure the HTTP server interface with the method of authentication used on the switch.

Configure the HTTP server interface for the type of authentication that you want to use.

•enable—Enable password, which is the default method of HTTP server user authentication, is used.

•local—Local user database, as defined on the Cisco router or access server, is used.

•tacacs—TACACS server is used.

Step 3: end
Return to privileged EXEC mode.

Step 4: show running-config
Verify your entries.

•If you use Internet Explorer Version 5.5 and select a URL with a nonstandard port at the end of the address (for example, www.cisco.com:84), you must enter http:// as the URL prefix. Otherwise, you cannot launch the device manager.

Open Caveats

Note All open caveats listed in these sections apply to the Catalyst 2955, Catalyst 2950, and Catalyst 2940 switches unless otherwise noted.

Open Cisco IOS Caveats

These are the open Cisco IOS configuration caveats:

•CSCdx95501

When a community string is assigned by the cluster command switch, you cannot get any dot1dBridge MIB objects by using a community string with a VLAN entity from a cluster member switch.

The workaround is to manually add the cluster community string with the VLAN entity on the member switches for all active VLANs shown in the show spanning-tree summary display. This is an example of such a change, where cluster member 3 has spanning tree on VLANs 1 to 3, and the cluster commander community string is public@es3 (the community string is configured with the snmp-server community global configuration command):

Switch(config)# snmp-server community public@es3@1 RO

Switch(config)# snmp-server community public@es3@2 RO

Switch(config)# snmp-server community public@es3@3 RO

•CSCeb84447 (Catalyst 2940 switches)

If an SFP module interface is disabled, the interface on the connected device is still enabled.

There is no workaround.

•CSCed11617

When QoS and Differentiated Services Code Point (DSCP) marking is enabled on a Catalyst 2950 switch, ports 8, 16, 24, 32, 40, and 48 do not mark the correct DSCP values when transmitting frames.

There is no workaround.

•CSCef26565 (Catalyst 2950 switches)

On a Catalyst 2950 LRE switch running Cisco IOS Release 12.1(20)EA1 or later, the flowcontrol interface configuration commands only take effect when the LRE link comes up after being shut down.

If the switch configuration is saved and the switch restarts, this does not affect the switch. However, if the flow control configuration for an LRE port is changed and the switch is not rebooted, the commands do not take effect unless you shut down and bring up the LRE link.

The workaround is to enter the shutdown and no shutdown interface configuration commands on an interface after entering a flowcontrol interface configuration command, such as the flowcontrol receive or the flowcontrol send command.

•CSCeg15130

If multiple switches are configured in a multicast television application in which Multicast VLAN Registration (MVR) is enabled and MVR ports are statically configured, IGMP leave messages are sent to the router, disrupting the multicast stream to the set-top boxes. If all of the MVR ports are dynamically configured, traffic to the set-top boxes is not disrupted.

There is no workaround.

•CSCeg41561

When a PC is attached to a switch through a hub, is authenticated on an 802.1x multiple-hosts port, is moved to another port, and is then attached through another hub, the switch does not authenticate the PC.

The workaround is to decrease the number of seconds between re-authentication attempts by entering the dot1x timeout reauth-period seconds interface configuration command.

•CSCeg49056 (Catalyst 2950 LRE switches)

The switch reloads when this message appears:

Signal 5, Exception code (0x0024)!, PC 0x80565714

There is no workaround.

•CSCeg52581

If you start a session on a switch cluster member by using the rcommand user EXEC command, the commands that you enter in the rcommand session are always allowed, irrespective of the authorization status.

There is no workaround.

•CSCeg53741

If frame sizes larger than 1518 bytes are received and the system MTU is configured as 1530 bytes, the counters display the packets as giants.

There is no workaround.

•CSCeg57925

The switch stops if a port that is assigned to the management VLAN does not have a corresponding access VLAN.

2. Create the management VLAN by using the no shutdown interface configuration command.

3. Assign a port to the management VLAN.

•CSCeg58877 (Catalyst 2950 switches)

If a switch uses rapid per-VLAN spanning tree plus (rapid-PVST+), a loop might occur when you reconfigure the allowed VLANs on a trunk and remove VLAN 1 from the trunk. If the loop occurs, only the keepalive packets from other Catalyst 2950 switches are looped in the network, and the links between these switches are error-disabled after they receive the keepalive packets.

The workaround is to not remove VLAN 1 from the trunk on a link with both ends in the up state or to disable the keepalive feature on the switch ports by using the keepalive interface configuration command.

When 802.1x is enabled on a port, spanning-tree Port Fast is added to the interface configuration. However, the Port Fast configuration now appears when a link up occurs and on remote ports in a switch.

•CSCee91720

The switch can now establish 802.1x authentication when these commands are configured on the 802.1x port:

When you set the duplex mode by using SNMP, the changes now appear in the output of the show interface interface-id | include duplex and the show running interface interface-id | include duplex commands.

•CSCef15273

When you enable 802.1x accounting by using the aaa accounting dot1x global configuration command and an 802.1x port changes state, you no longer see this traceback message:

%AAAA-3-TIMERNNOPER:AAA/ACCT/TIMER:No periodic update but timer set.

•CSCef58368

You can now set the port speed to autonegotiate by using SNMP.

•CSCef64461

If DHCP snooping is enabled on a switch, a redundant link is in the spanning-tree blocked state, and the link is configured to trust DHCP packets, the switch does not accept DHCP packets from the redundant link and no longer creates a broadcast storm by flooding the DHCP packets to other switch ports.

•CSCeg05171

When the voice VLAN feature is enabled on the switch, it now sends the multicast packets with the 802.1Q tag.

•CSCeg21451 (Catalyst 2950 and 2940 switches)

When a non-powered Cisco IP Phone is connected to a switch that does not provide inline power, the interface no longer comes up when the down-when-looped interface configuration command is configured.

Note The down-when-looped interface configuration command is not supported on the Catalyst 2950G switch.

•CSCeg27165

The switch no longer restarts when you enter the auto qos voip cisco-phone interface configuration command.

•CSCeg40067

Both sides of a link no longer stay in the loop-inconsistent state under these conditions:

–Rapid PVST is being used.

–Loopguard is enabled, and there are multiple paths to the root bridge.

–The root is either removed from the network or its priority changes.

•CSCeg64282

The port security MIB no longer issues a trap for a security violation for a port that is configured in the protect mode.

This device manager caveat has been resolved in this release:

•CSCef78853

The front panels of switches or error dialogs no longer fail to appear when a semicolon (;), single quotation mark (`), or double quotation mark (") is used as part of the hostname, port description, SNMP system location, SNMP system contact, SNMP community strings, Telnet password, or switch password.

Documentation Updates

This section provides updates to the Catalyst 2950 and 2940 product documentation. These changes will be included in the next revision of the Catalyst 2950 and 2940 switch documentation for Release 12.1:

Note There have been no changes to the Catalyst 2955 hardware documentation in this release.

Corrections to the Software Configuration Guides

These are the corrections to the software guide:

•The "Configuring a System Name and Prompt" section and the "Configuring a System Prompt" section of the "Administering the Switch" chapter incorrectly state that you can manually configure the prompt global configuration command. The switches do not support this command. You should ignore this information in printed and online copies of the software configuration guides.

•In the "Configuring VLANs" chapter of the Catalyst 2950 and 2940 software configuration guides for Cisco IOS Release 12.1(19)EA1 and earlier, the examples that use the spanning-tree vlan vlan-id priority priority global configuration command are incorrect because they have a priority value that is not a multiple of 16. In these examples, the correct value for the priority parameter is a multiple of 16. The information in Figure 13-3 of the Catalyst 2940 software guide and Figure 17-3 of the Catalyst 2950 software guide is also incorrect. The correct value for the port priority is a multiple of 16. This information was corrected in the Catalyst 2950 and 2940 software configuration guides for Cisco IOS Release 12.1(20)EA1 and later.

Understanding the IGMP Configurable-Leave Timer

In Cisco IOS Release 12.1(22)EA2 and earlier, the IGMP snooping leave time was fixed at 5 seconds. If membership reports were not received by the switch before the query response time of the query expired, a port was removed from the multicast group membership. However, some applications require a leave latency of less than 5 seconds.

In Cisco IOS Release 12.1(22)EA3 and later, you can configure the time that the switch waits after sending a group-specific query to determine if hosts are still interested in a specific multicast group. The IGMP leave response time can be configured from 100 to 5000 milliseconds. The timer can be set either globally or on a per-VLAN basis. The VLAN configuration of the leave time overrides the global configuration.

IGMP Leave Timer Guidelines

Follow these guidelines when configuring the IGMP leave timer:

•You can configure the leave time globally or on a per-VLAN basis.

•Configuring the leave time on a VLAN overrides the global setting.

•The default leave time is 1000 milliseconds.

•The IGMP configurable leave time is only supported on hosts running IGMP Version 2.

•The actual leave latency in the network is usually the configured leave time. However, the leave time might vary around the configured time, depending on real-time CPU load conditions, network delays and the amount of traffic sent through the interface.

Follow these guidelines and restrictions when configuring the IGMP snooping querier:

•The IGMP snooping querier is disabled by default.

•Configure the VLAN in global configuration mode.

•Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.

•If there is no IP address configured on the VLAN interface, the IGMP snooping querier tries to use the configured global IP address for the IGMP querier. If there is no global IP address specified, the IGMP querier tries to use the VLAN switch virtual interface (SVI) IP address (if one exists). If there is no SVI IP address, the switch uses the first available IP address configured on the switch. The first IP address available can be seen in the output of the show ip interface privileged EXEC command. The IGMP snooping querier does not generate an IGMP general query if it cannot find an available IP address on the switch.

•The IGMP snooping querier supports IGMP Versions 1 and 2.

•When administratively enabled, the IGMP snooping querier moves to the non-querier state if it detects the presence of a multicast router in the network.

•When it is administratively enabled, the IGMP snooping querier moves to the operationally-disabled state under these conditions:

–IGMP snooping is disabled in the VLAN.

–PIM is enabled on the SVI of the corresponding VLAN.
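As an added example (not Cisco's code or output), this Python model applies the leave-timer and querier guidelines above: the per-VLAN leave time overriding the global one, the four-step source-address fallback, and the administrative and operational states. The Vlan and Switch fields and the sample addresses are constructed for illustration; the order in which "no address" is checked against "non-querier" is an assumption the notes do not specify.

```python
"""Model of the IGMP snooping leave timer and querier guidelines (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

LEAVE_DEFAULT_MS, LEAVE_MIN_MS, LEAVE_MAX_MS = 1000, 100, 5000


def effective_leave_time_ms(global_ms: Optional[int], vlan_ms: Optional[int]) -> int:
    """Per-VLAN leave time overrides the global one; default is 1000 ms.
    Both values must lie in the configurable 100 to 5000 ms range."""
    for value in (vlan_ms, global_ms):
        if value is not None:
            if not LEAVE_MIN_MS <= value <= LEAVE_MAX_MS:
                raise ValueError("leave time %d ms outside %d-%d" % (value, LEAVE_MIN_MS, LEAVE_MAX_MS))
            return value
    return LEAVE_DEFAULT_MS


@dataclass
class Vlan:
    vlan_id: int
    snooping_enabled: bool = True            # IGMP snooping on in this VLAN
    querier_enabled: bool = False            # ip igmp snooping querier (administrative)
    querier_address: Optional[str] = None    # ip igmp snooping querier <ip_address>
    svi_address: Optional[str] = None        # IP address on the VLAN SVI, if any
    pim_on_svi: bool = False                 # PIM enabled on the SVI
    mrouter_seen: bool = False               # a multicast router is present


@dataclass
class Switch:
    global_querier_address: Optional[str] = None          # global querier address
    interface_addresses: List[str] = field(default_factory=list)  # show ip interface order


def querier_source_address(sw: Switch, vlan: Vlan) -> Optional[str]:
    """Fallback chain from the guidelines: VLAN querier address, global querier
    address, SVI address, then the first address configured on the switch.
    None means the querier cannot send a general query."""
    for candidate in (vlan.querier_address, sw.global_querier_address, vlan.svi_address):
        if candidate:
            return candidate
    return sw.interface_addresses[0] if sw.interface_addresses else None


def querier_state(sw: Switch, vlan: Vlan) -> str:
    """Resolve the querier state for one VLAN.

    disabled       not administratively enabled (the default)
    oper-disabled  enabled, but snooping is off in the VLAN or PIM is on the SVI
    no-address     enabled, but no source address could be found (assumed ordering)
    non-querier    enabled, but a multicast router is present
    querier        enabled and sending general queries
    """
    if not vlan.querier_enabled:
        return "disabled"
    if not vlan.snooping_enabled or vlan.pim_on_svi:
        return "oper-disabled"
    if querier_source_address(sw, vlan) is None:
        return "no-address"
    if vlan.mrouter_seen:
        return "non-querier"
    return "querier"


if __name__ == "__main__":
    sw = Switch(interface_addresses=["10.0.0.1", "10.0.1.1"])  # constructed
    for v in (Vlan(10, querier_enabled=True, svi_address="10.0.10.1"),
              Vlan(20, querier_enabled=True),
              Vlan(30, querier_enabled=True, pim_on_svi=True)):
        print(v.vlan_id, querier_state(sw, v), querier_source_address(sw, v))
```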

Configuring the IGMP Snooping Querier (Catalyst 2955 Switches Only)

To enable the IGMP snooping querier feature in a VLAN, follow these steps:

Step 1: configure terminal
Enter global configuration mode.

Step 2: ip igmp snooping querier
Enable the IGMP snooping querier.

Step 3: ip igmp snooping querier ip_address
(Optional) Specify an IP address for the IGMP snooping querier. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.

Note The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch.

Step 4: ip igmp snooping querier query-interval interval-count
(Optional) Set the interval between IGMP queries. The interval range is from 1 to 18000 seconds.

Step 5: ip igmp snooping querier tcn query [count count | interval interval]
(Optional) Set the time (in seconds) between Topology Change Notification (TCN) queries. The count range is from 1 to 10. The interval range is from 1 to 255 seconds.

Step 6: ip igmp snooping querier timer expiry timeout
(Optional) Set the length of time (in seconds) until the IGMP querier expires. The range is from 60 to 300 seconds.

Step 7: ip igmp snooping querier version version
(Optional) Select the IGMP version number that the querier feature uses. Select 1 or 2.

Step 8: end
Return to privileged EXEC mode.

Step 9: show ip igmp snooping vlan vlan-id
(Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface.

Step 10: copy running-config startup-config
(Optional) Save your entries in the configuration file.

This example shows how to set the IGMP snooping querier source address to 10.0.0.64 and to verify the configuration:

Switch# configure terminal

Switch(config)# ip igmp snooping querier 10.0.0.64

Switch(config)# end

This example shows how to set the IGMP snooping querier maximum response time to 25 seconds and to verify the configuration:

Switch# configure terminal

Switch(config)# ip igmp snooping querier max-response-time 25

Switch(config)# end

This example shows how to set the IGMP snooping querier timeout to 60 seconds and to verify the configuration:

Switch# configure terminal

Switch(config)# ip igmp snooping querier timer expiry 60

Switch(config)# end

This example shows how to set the IGMP snooping querier feature to version 2 and to verify the configuration:

Switch# configure terminal

Switch(config)# ip igmp snooping querier version 2

Switch(config)# end

For more information about commands that support the IGMP querier feature, see these sections:

DHCP Snooping Enhancement

If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.

When option-82 information is inserted by an edge switch in software releases earlier than Cisco IOS Release 12.2(25)SEA, you cannot configure DHCP snooping on an aggregation switch because the DHCP snooping bindings database will not be properly populated. You also cannot configure IP source guard and dynamic Address Resolution Protocol (ARP) inspection on the switch unless you use static bindings or ARP access control lists (ACLs).

In Cisco IOS Release 12.1(22)EA3 or later, when an aggregation switch is connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allowed-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as DHCP snooping or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on ingress untrusted interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.

Note Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.

Enabling DHCP Snooping and Option 82

Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch.

Note Step 5 was added in Cisco IOS Release 12.1(22)EA3 or later.

Step 1: configure terminal
Enter global configuration mode.

Step 2: ip dhcp snooping
Enable DHCP snooping globally.

Step 3: ip dhcp snooping vlan vlan-range
Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.

You can enter a single VLAN ID, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by a hyphen, or a range of VLAN IDs specified by entering the starting and ending VLAN IDs separated by a space.

(Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch.

The default is disabled.

Note You must enter this command only on aggregation switches that are connected to trusted devices.

Step 6: interface interface-id
Enter interface configuration mode, and specify the interface to be configured.

Step 7: ip dhcp snooping trust
(Optional) Configure the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive messages from an untrusted client. The default is untrusted.

Step 8: ip dhcp snooping limit rate rate
(Optional) Configure the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. The default is no rate limit configured.

Note We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN on which DHCP snooping is enabled.

Step 9: exit
Return to global configuration mode.

Step 10: ip dhcp snooping verify mac-address
(Optional) Configure the switch to verify that the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet. The default is to verify that the source MAC address matches the client hardware address in the packet.

Step 11: end
Return to privileged EXEC mode.

Step 12: show running-config
Verify your entries.

Step 13: copy running-config startup-config
(Optional) Save your entries in the configuration file.

To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allowed-untrusted global configuration command.
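As an added example (not Cisco's code or output), this Python model parses the option area of a constructed DHCP message, extracts the option-82 sub-options an edge switch inserts, and applies the snooping decisions described in the DHCP Snooping Enhancement section and the procedure above: trusted versus untrusted ports, the allowed-untrusted setting, source-MAC verification, rate limiting, and which packets result in a learned binding. The SnoopingConfig, Port and snoop names, the sample MAC addresses and the option bytes are constructed for illustration; treating a rate-limit overrun as a plain drop is a simplification.

```python
"""Model of Catalyst DHCP snooping decisions for option-82 packets (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2  # RFC 3046 sub-options


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area of a DHCP message (the bytes after the magic
    cookie). PAD (0) has no length byte; END (255) terminates the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header at offset %d" % i)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split the relay agent information option into its sub-options
    (1 = Circuit ID, 2 = Remote ID). Sub-options have no PAD or END codes."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = data
        i += 2 + length
    return subs


@dataclass
class SnoopingConfig:
    """Global settings from the procedure above."""
    allowed_untrusted: bool = False  # ip dhcp snooping information option allowed-untrusted
    verify_mac: bool = True          # ip dhcp snooping verify mac-address (default on)


@dataclass
class Port:
    name: str
    trusted: bool = False                  # ip dhcp snooping trust (default untrusted)
    rate_limit_pps: Optional[int] = None   # ip dhcp snooping limit rate <rate>


def snoop(cfg: SnoopingConfig, port: Port, src_mac: bytes, chaddr: bytes,
          options: bytes, observed_pps: int = 0) -> Tuple[str, bool]:
    """Return (verdict, learn_binding) for one client-to-server DHCP packet.

    verdict is "forward" or "drop". learn_binding is True only for packets
    accepted on an untrusted interface: the notes state that an aggregation
    switch does not learn bindings for packets arriving on a trusted port."""
    if port.rate_limit_pps is not None and observed_pps > port.rate_limit_pps:
        return "drop", False  # simplification: overrun modelled as a drop
    opts = parse_dhcp_options(options)
    if port.trusted:
        # Trusted uplink: option 82 is accepted as is, no binding is learned.
        return "forward", False
    if cfg.verify_mac and src_mac != chaddr:
        return "drop", False  # source MAC must match the client hardware address
    if OPT_RELAY_AGENT_INFO in opts and not cfg.allowed_untrusted:
        return "drop", False  # default: option 82 is dropped on untrusted ports
    # Accepted on an untrusted port, so a binding is learned. With
    # allowed-untrusted set, a host on this port could supply its own option
    # 82, which is why the command is only for ports facing a trusted edge switch.
    return "forward", True


# Constructed sample data: a DHCPDISCOVER option area with an option 82
# inserted by an edge switch, and one without option 82 from a host.
CLIENT_MAC = bytes.fromhex("001122aabbcc")
OTHER_MAC = bytes.fromhex("00dead00beef")
EDGE_OPTIONS = (bytes([OPT_MSG_TYPE, 1, 1])
                + bytes([OPT_RELAY_AGENT_INFO, 10,
                         SUBOPT_CIRCUIT_ID, 3, 0x00, 0x05, 0x01,
                         SUBOPT_REMOTE_ID, 3, 0xAA, 0xBB, 0xCC])
                + bytes([OPT_END]))
HOST_OPTIONS = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])

if __name__ == "__main__":
    cfg = SnoopingConfig()
    print("edge uplink, untrusted:", snoop(cfg, Port("Fa0/24"), CLIENT_MAC, CLIENT_MAC, EDGE_OPTIONS))
    print("edge uplink, allowed-untrusted:",
          snoop(SnoopingConfig(allowed_untrusted=True), Port("Fa0/24"), CLIENT_MAC, CLIENT_MAC, EDGE_OPTIONS))
    print("host port, MAC mismatch:", snoop(cfg, Port("Fa0/1"), OTHER_MAC, CLIENT_MAC, HOST_OPTIONS))
```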

Additions to the Command References

These commands were added or modified for the command references in this release:

ip dhcp snooping information option allowed-untrusted

Use the ip dhcp snooping information option allowed-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information from an edge switch. Use the no form of this command to configure the switch to drop these packets from the edge switch.

ip dhcp snooping information option allowed-untrusted

no ip dhcp snooping information option allowed-untrusted

Note Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.

Syntax Description

This command has no arguments or keywords.

Defaults

The switch drops DHCP packets with option-82 information from an edge switch.

Command Modes

Global configuration

Command History

Release

Modification

12.1(22)EA3

This command was introduced.

Usage Guidelines

You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted interface and does not learn DHCP snooping bindings for connected devices on a trusted interface.

If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allowed-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted interface. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted interface.

Examples

This example shows how to configure an access switch to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:

Switch(config)# ip dhcp snooping information option allowed-untrusted

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.
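To make the drop-or-accept rule concrete, here is an added Python model (not Cisco's code and not switch firmware) of how a DHCP snooping switch treats option 82 arriving on an untrusted port. It parses the option field of a constructed DHCPDISCOVER, picks out option 82 (relay agent information, with its circuit-ID and remote-ID sub-options) and applies the rule that the allowed-untrusted command toggles. The packet bytes, the circuit-ID and remote-ID strings, and the function names are this example's own constructions.

```python
"""Model of DHCP snooping handling of option 82 on untrusted ports.

Added example, not Cisco's code. The switch behaviour modelled here is the
one described for 'ip dhcp snooping information option allowed-untrusted':
a packet carrying option 82 that arrives on an untrusted interface is
dropped unless allowed-untrusted is configured.
"""

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82                # relay agent information (option 82)
OPT_END = 255


def parse_options(payload: bytes) -> dict:
    """Parse the TLV option field that follows the DHCP magic cookie."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:     # reject packets cut short mid-option
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_option82(value: bytes) -> dict:
    """Split option 82 into its sub-options (1 = circuit ID, 2 = remote ID)."""
    subs = {}
    i = 0
    while i + 1 < len(value):
        sub, length = value[i], value[i + 1]
        subs[sub] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def snooping_decision(options: dict, port_trusted: bool, allowed_untrusted: bool):
    """Return (action, reason) for a client packet received on a port."""
    has_82 = OPT_RELAY_AGENT in options
    if port_trusted:
        return ("accept", "trusted port")
    if has_82 and not allowed_untrusted:
        return ("drop", "option 82 on untrusted port")
    if has_82:
        return ("accept", "allowed-untrusted set; option 82 not checked")
    return ("accept", "no option 82")


def build_options(msg_type: int, option82: bytes = None) -> bytes:
    """Build a constructed DHCP option field for use as sample input."""
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82 is not None:
        body += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return DHCP_MAGIC + body + bytes([OPT_END])


# Constructed sample: an edge switch inserted circuit ID "Fa0/3" and
# remote ID "edge1" into a DHCPDISCOVER (message type 1).
SAMPLE_OPT82 = bytes([1, 5]) + b"Fa0/3" + bytes([2, 5]) + b"edge1"
SAMPLE_DISCOVER = build_options(1, SAMPLE_OPT82)

if __name__ == "__main__":
    opts = parse_options(SAMPLE_DISCOVER)
    print("option 82 sub-options:", parse_option82(opts[OPT_RELAY_AGENT]))
    for trusted, allowed in [(False, False), (False, True), (True, False)]:
        print(f"trusted={trusted} allowed_untrusted={allowed} ->",
              snooping_decision(opts, trusted, allowed))
```

The same packet is dropped on an untrusted port by default, accepted once allowed-untrusted is set, and accepted on a trusted port; this is why the note above warns against enabling the command where an untrusted host could forge its own option 82.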

Related Commands

show ip dhcp snooping
    Displays the DHCP snooping configuration.

show ip dhcp snooping binding
    Displays the DHCP snooping binding information.

ip igmp snooping querier (Catalyst 2955 Switches Only)

Use the ip igmp snooping querier global configuration command to globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to disable the IGMP querier feature or to reset the parameters to the default settings.

Syntax Description

(Optional) Specify a source IP address. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.

ip-address
    Source IP address for the querier.

max-response-time response-time
    (Optional) Set the maximum time to wait for an IGMP querier report. You can set a response time from 1 to 25 seconds.

query-interval interval-count
    (Optional) Set the interval between IGMP queries. You can set a count from 1 to 18000 seconds.

tcn query
    (Optional) Set the time (in seconds) between Topology Change Notification (TCN) queries.

count count
    (Optional) Set the number of TCN queries to be executed during the TCN interval time. You can set a count from 1 to 10.

interval interval
    (Optional) Set the TCN query interval time. You can set a time (in seconds) from 1 to 255.

timer expiry
    (Optional) Set the length of time until the IGMP querier expires.

version version
    (Optional) Select the IGMP version number that the querier feature uses. Select 1 or 2.

Defaults

The IGMP snooping querier feature is globally disabled on the switch.

When enabled, the IGMP snooping querier disables itself if it detects IGMP traffic from a multicast-enabled device.

Command Modes

Global configuration

Command History

Release          Modification
12.2(25)SEA      This command was introduced.

Usage Guidelines

Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier.

By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).

Non-RFC-compliant devices running IGMPv1 might reject IGMP general query messages that have a nonzero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.

Examples

This example shows how to globally enable the IGMP snooping querier feature:

Switch(config)# ip igmp snooping querier

This example shows how to globally disable the IGMP snooping querier feature:

Switch(config)# no ip igmp snooping querier

This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:

Switch(config)# ip igmp snooping querier max-response-time 25

This example shows how to set the IGMP snooping querier interval time to 60 seconds:

Switch(config)# ip igmp snooping querier query-interval 60

This example shows how to set the IGMP snooping querier TCN query count to 25:

Switch(config)# ip igmp snooping querier tcn count 25

This example shows how to set the IGMP snooping querier timeout to 60 seconds:

Switch(config)# ip igmp snooping querier timer expiry 60

This example shows how to set the IGMP snooping querier feature to version 2:

Switch(config)# ip igmp snooping querier version 2

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

ip igmp snooping report-suppression
    Enables IGMP report suppression.

show ip igmp snooping
    Displays the IGMP snooping configuration.

show ip igmp snooping groups
    Displays the IGMP snooping router ports.

show ip igmp snooping groups
    Displays IGMP snooping multicast information.

ip igmp snooping last-member-query-interval

Use the ip igmp snooping last-member-query-interval global configuration command to enable the Internet Group Management Protocol (IGMP) configurable-leave timer globally or on a per-VLAN basis. Use the no form of this command to return the IGMP configurable-leave timer to the default setting.

ip igmp snooping vlan vlan-id last-member-query-interval time

no ip igmp snooping vlan vlan-id last-member-query-interval

Syntax Description

vlan-id
    VLAN ID value. The range is 1 to 1005 when the standard software image (SI) is installed and 1 to 4094 when the enhanced software image (EI) is installed.

time
    Interval timeout in milliseconds. The range is 100 to 5000 milliseconds.

Defaults

The default timeout setting is 1000 milliseconds.

Command History

Release          Modification
12.1(22)EA3      This command was introduced.

Usage Guidelines

When IGMP snooping is globally enabled, IGMP snooping is enabled on all the existing VLAN interfaces. When IGMP snooping is globally disabled, IGMP snooping is disabled on all the existing VLAN interfaces.

Configuring the leave timer on a VLAN overrides the global setting.

The IGMP configurable leave time is only supported on devices running IGMP Version 2.

The configuration is saved in NVRAM.

Examples

This example shows how to globally enable the IGMP leave timer for 2000 milliseconds:

Switch# configure terminal

Switch(config)# ip igmp snooping last-member-query-interval 2000

Switch(config)# end

This example shows how to configure the IGMP leave timer for 3000 milliseconds on VLAN 1:

Switch(config)# ip igmp snooping vlan 1 last-member-query-interval 3000

show ip igmp snooping

Note Beginning with Cisco IOS Release 12.2(22)EA3, the value of the IGMP configurable-leave timer is displayed in the output of the show ip igmp snooping command.

Use the show ip igmp snooping user EXEC command to display the Internet Group Management Protocol (IGMP) snooping configuration of the switch or the VLAN. Use the mrouter keyword to display the dynamically learned and manually configured multicast router ports.

(Optional) Display information about the IGMP version that an interface supports.

vlan vlan-id
    (Optional) Keyword and variable to specify a VLAN. On Catalyst 2940 switches, the range is 1 to 4094. On Catalyst 2950, 2950-LRE, and 2955 switches, the range is 1 to 1005 when the standard software image (SI) is installed and 1 to 4094 when the enhanced software image (EI) is installed. This keyword is available only in privileged EXEC mode.

| begin
    (Optional) Display begins with the line that matches the specified expression.

Use the group keyword to display the multicast groups, the compatibility mode, and the ports that are associated with each group.

Use the show ip igmp snooping querier command to display the IGMP version and IP address of a detected device that sends IGMP query messages, also called a querier. A subnet can have multiple multicast routers but has only one IGMP querier. In a subnet running IGMPv2, one of the multicast routers is elected as the querier. The querier can be a Layer 3 switch. The command output also shows the VLAN and interface on which the querier was detected. If the querier is a multicast router, the output shows the Port field as Router.

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.

Examples

This is an example of output from the show ip igmp snooping command:

Switch> show ip igmp snooping

Global IGMP Snooping configuration:

-----------------------------------

IGMP snooping : Enabled

IGMPv3 snooping (minimal) : Enabled

Report suppression : Enabled

TCN solicit query : Disabled

TCN flood query count : 2

Last member query interval : 100

Vlan 1:

--------

IGMP snooping :Enabled

Immediate leave :Disabled

Multicast router learning mode :pim-dvmrp

Source only learning age timer :10

Last member query interval :100

CGMP interoperability mode :IGMP_ONLY

Vlan 2:

--------

IGMP snooping :Enabled

Immediate leave :Disabled

Multicast router learning mode :pim-dvmrp

Source only learning age timer :10

CGMP interoperability mode :IGMP_ONLY

Last member query interval : 333

<output truncated>

This is an example of output from the show ip igmp snooping vlan 1 command:

Switch# show ip igmp snooping vlan 1

Global IGMP Snooping configuration:

-----------------------------------

IGMP snooping : Enabled

IGMPv3 snooping (minimal) : Enabled

Report suppression : Enabled

TCN solicit query : Disabled

TCN flood query count : 2

Last member query interval : 100

Vlan 1:

--------

IGMP snooping :Enabled

Immediate leave :Disabled

Multicast router learning mode :pim-dvmrp

Source only learning age timer :10

Last member query interval : 100

CGMP interoperability mode :IGMP_ONLY

This is an example of output from the show ip igmp snooping mrouter vlan 1 command:

Note In this example, Fa0/3 is a dynamically learned router port, and Fa0/2 is a configured static router port.

Switch# show ip igmp snooping mrouter vlan 1

Vlan ports

---- -----

1 Fa0/2(static), Fa0/3(dynamic)

This is an example of output from the show ip igmp snooping group vlan 1 command:

Switch# show ip igmp snooping group vlan 1

Vlan Group Version Port List

---------------------------------------------------------

1 229.2.3.4 v3 fa0/1 fa0/3

1 224.1.1.1 v2 fa0/8

This is an example of output from the show ip igmp snooping querier command:

Switch> show ip igmp snooping querier

Vlan IP Address IGMP Version Port

---------------------------------------------------

1 172.20.50.11 v3 fa0/1

2 172.20.40.20 v2 Router

Related Commands

ip igmp snooping
    Enables IGMP snooping.

ip igmp snooping report-suppression
    Enables IGMP report suppression.

ip igmp snooping source-only-learning
    Enables IP multicast-source-only learning on the switch.

ip igmp snooping source-only-learning age-timer
    Enables and configures the aging time of the forwarding-table entries that the switch learns by using the source-only learning method.

ip igmp snooping vlan vlan-id
    Enables IGMP snooping on the VLAN interface.

ip igmp snooping vlan immediate-leave
    Configures IGMP Immediate-Leave processing.

ip igmp snooping vlan mrouter
    Configures a Layer 2 port as a multicast router port.

show mac address-table multicast
    Displays the Layer 2 multicast entries for a VLAN.

show ip igmp snooping querier detail (Catalyst 2955 Switches Only)

Use the show ip igmp snooping querier detail user EXEC command to display the configuration and operation information for the IGMP querier configured on a switch.

show ip igmp snooping querier detail

Syntax Description

| begin
    (Optional) Display begins with the line that matches the expression.

| exclude
    (Optional) Display excludes lines that match the expression.

| include
    (Optional) Display includes lines that match the specified expression.

expression
    Expression in the output to use as a reference point.

Command Modes

User EXEC

Command History

Release          Modification
12.2(25)SEA      This command was introduced.

Usage Guidelines

The show ip igmp snooping querier detail user EXEC command is similar to the show ip igmp snooping querier command. However, the show ip igmp snooping querier command only displays the IP address of the most recent device detected by the switch querier.

The show ip igmp snooping querier detail command displays the IP address of the most recent device detected by the switch querier along with this additional information:

•the elected IGMP querier in the VLAN

•the configuration and operational information pertaining to the switch querier (if any) that is configured in the VLAN

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output do not appear, but the lines that contain Output appear.

Examples

This is an example of output from the show ip igmp snooping querier detail command:

Switch> show ip igmp snooping querier detail

Vlan IP Address IGMP Version Port

-------------------------------------------------------------

1 1.1.1.1 v2 Fa8/0/1

Global IGMP switch querier status

--------------------------------------------------------

admin state : Enabled

admin version : 2

source IP address : 0.0.0.0

query-interval (sec) : 60

max-response-time (sec) : 10

querier-timeout (sec) : 120

tcn query count : 2

tcn query interval (sec) : 10

Vlan 1: IGMP switch querier status

--------------------------------------------------------

elected querier is 1.1.1.1 on port Fa8/0/1

--------------------------------------------------------

admin state : Enabled

admin version : 2

source IP address : 10.1.1.65

query-interval (sec) : 60

max-response-time (sec) : 10

querier-timeout (sec) : 120

tcn query count : 2

tcn query interval (sec) : 10

operational state : Non-Querier

operational version : 2

tcn query pending count : 0
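A defender's use of this output is to confirm that the elected querier in each VLAN is a device you expect, since whichever host wins the election controls the membership queries the switch snoops. The following Python script is an added example, not Cisco's code: it parses the sample output above (copied verbatim as its input) and reports any VLAN whose elected querier is neither on an allow-list you supply nor the switch's own configured source address. The allow-list, the function names and the "global" section key are this example's assumptions.

```python
"""Audit 'show ip igmp snooping querier detail' output for unexpected queriers.

Added example, not Cisco's code. The parser keys on the section headers and
'key : value' lines of the command output as shown in the release notes.
"""
import re

VLAN_HDR_RE = re.compile(r"^Vlan (\d+): IGMP switch querier status")
GLOBAL_HDR_RE = re.compile(r"^Global IGMP switch querier status")
ELECTED_RE = re.compile(r"elected querier is (\S+) on port (\S+)")
KV_RE = re.compile(r"^\s*([\w\- ()]+?)\s*:\s*(.+?)\s*$")


def parse_querier_detail(text: str) -> dict:
    """Return {"global": {...}, vlan_id: {...}} with the status fields per section."""
    sections = {}
    current = None
    for line in text.splitlines():
        if GLOBAL_HDR_RE.match(line):
            current = "global"
            sections[current] = {}
            continue
        m = VLAN_HDR_RE.match(line)
        if m:
            current = int(m.group(1))
            sections[current] = {}
            continue
        if current is None:          # skip the leading summary table
            continue
        m = ELECTED_RE.search(line)
        if m:
            sections[current]["elected_ip"] = m.group(1)
            sections[current]["elected_port"] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            sections[current][m.group(1).strip()] = m.group(2)
    return sections


def find_unexpected(sections: dict, known_queriers: set) -> list:
    """List (vlan, ip, port) where the elected querier is not a known device.

    The switch's own source address for the VLAN counts as known, so a VLAN
    in which this switch won the election is not reported.
    """
    hits = []
    for vid, info in sections.items():
        if vid == "global":
            continue
        ip = info.get("elected_ip")
        allowed = set(known_queriers) | {info.get("source IP address")}
        if ip and ip not in allowed:
            hits.append((vid, ip, info.get("elected_port")))
    return hits


# Sample input: the command output shown in the release notes, copied verbatim.
SAMPLE_OUTPUT = """\
Switch> show ip igmp snooping querier detail
Vlan IP Address IGMP Version Port
-------------------------------------------------------------
1 1.1.1.1 v2 Fa8/0/1

Global IGMP switch querier status
--------------------------------------------------------
admin state : Enabled
admin version : 2
source IP address : 0.0.0.0
query-interval (sec) : 60
max-response-time (sec) : 10
querier-timeout (sec) : 120
tcn query count : 2
tcn query interval (sec) : 10

Vlan 1: IGMP switch querier status
--------------------------------------------------------
elected querier is 1.1.1.1 on port Fa8/0/1
--------------------------------------------------------
admin state : Enabled
admin version : 2
source IP address : 10.1.1.65
query-interval (sec) : 60
max-response-time (sec) : 10
querier-timeout (sec) : 120
tcn query count : 2
tcn query interval (sec) : 10
operational state : Non-Querier
operational version : 2
tcn query pending count : 0
"""

if __name__ == "__main__":
    parsed = parse_querier_detail(SAMPLE_OUTPUT)
    # Assumed allow-list: only the multicast router addresses you operate.
    for vlan, ip, port in find_unexpected(parsed, {"10.1.1.1"}):
        print(f"VLAN {vlan}: unexpected querier {ip} on {port}")
```

With the sample output and an allow-list that does not contain 1.1.1.1, the script reports VLAN 1, because the switch itself (source 10.1.1.65) is Non-Querier and lost the election to a device on Fa8/0/1; a lower address always wins the IGMPv2 election, which is why an allow-list check rather than the election result is the right signal.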

Related Commands

ip igmp snooping
    Enables and configures IGMP snooping on the switch or on a VLAN.

show ip igmp snooping
    Displays IGMP snooping multicast router ports for the switch or for the specified multicast VLAN.

show ip igmp snooping
    Displays IGMP snooping multicast information for the switch or for the specified parameter.

Related Documentation

These documents provide complete information about the Catalyst 2955, 2950, and 2940 switches and are available at Cisco.com:

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.

Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0501R)